networking:cisco:vty

Differences

networking:cisco:vty [2026/02/02 12:30] – [SSH] ilyasanetworking:cisco:vty [2026/02/02 12:44] (current) – [Konfigurasi SSH] ilyasa
Line 97: Line 97:
   * **Step 1 – Verifikasi IOS Mendukung SSH**   * **Step 1 – Verifikasi IOS Mendukung SSH**
      
-Pastikan image IOS mendukung SSH. IOS yang mendukung SSH ditandai dengan adanya ''K9'' pada nama image.+Untuk mengonfigurasi SSH, kunci RSA harus dibuat, yang digunakan untuk enkripsi, dekripsi, dan autentikasi data, dan ini dapat dilakukan setelah memastikan image iOS mendukung SSH
  
 +Image IOS yang mendukung SSH akan memiliki 'K9' pada namanya.
 +contoh :
 <code> <code>
 R1#show version R1#show version
-Cisco IOS Software, IOSv Software (VIOS-ADVENTERPRISEK9-M), +Cisco IOS Software, IOSv Software (VIOS-ADVENTERPRISEK9-M), Version 15.9(3)M6, RELEASE SOFTWARE (fc1) 
-Version 15.9(3)M6, RELEASE SOFTWARE (fc1)+Technical Support: http://www.cisco.com/techsupport 
 +Copyright (c) 1986-2022 by Cisco Systems, Inc. 
 +Compiled Mon 08-Aug-22 15:22 by mcpre 
 +...
 </code> </code>
  
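Review bot: the new sentence on the right side ("kunci RSA harus dibuat, yang digunakan untuk enkripsi, dekripsi, dan autentikasi data") overstates what the RSA pair does: in this setup it is the router's SSH host key (the `show ip ssh` output further down lists it under `Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa` and prints it as the SECSH-format key), and bulk traffic is protected by the negotiated `aes128-ctr`/`aes192-ctr`/`aes256-ctr` ciphers and HMACs, not by RSA. Suggest rewording to say the key identifies the router to the client and secures the session setup. In the same sentence "image iOS" should read "image IOS" (iOS is Apple's OS), the sentence lacks its closing period, and "contoh :" has a stray space before the colon.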
Line 110: Line 115:
      
 Domain name diperlukan untuk membentuk **FQDN (Fully Qualified Domain Name)** yang akan digunakan sebagai nama RSA key. Domain name diperlukan untuk membentuk **FQDN (Fully Qualified Domain Name)** yang akan digunakan sebagai nama RSA key.
- 
 <code> <code>
 R1(config)#ip domain name labyas.my.id R1(config)#ip domain name labyas.my.id
Line 128: Line 132:
  
 <code> <code>
 +R1(config)#crypto key generate rsa
 The name for the keys will be: R1.labyas.my.id The name for the keys will be: R1.labyas.my.id
 +Choose the size of the key modulus in the range of 360 to 4096 for your
 +  General Purpose Keys. Choosing a key modulus greater than 512 may take
 +  a few minutes.
 </code> </code>
  
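Review bot: the added `crypto key generate rsa` transcript stops at "a few minutes.", so the reader never sees which modulus size was entered, and the prompt's range starts at 360 bits. The key printed later in `show ip ssh` starts with `AAAAB3NzaC1yc2EAAAADAQABAAABAQ`, which decodes to a 257-byte (2048-bit) modulus, and the same output reports "Minimum expected Diffie Hellman key size : 2048 bits"; record the value that was actually entered (2048) in the transcript and state that a smaller modulus should not be used outside a lab.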
Line 151: Line 159:
  
 <code> <code>
 +R1(config)#
 *Dec 22 10:28:29.531: %SSH-5-ENABLED: SSH 1.99 has been enabled *Dec 22 10:28:29.531: %SSH-5-ENABLED: SSH 1.99 has been enabled
 </code> </code>
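Review bot: the `%SSH-5-ENABLED: SSH 1.99 has been enabled` line added here means the server is advertising both protocol 1 and protocol 2. Since the section is about securing remote access, add `ip ssh version 2` right after key generation so that only SSHv2 is accepted, and show the effect: `show ip ssh` then reports "SSH Enabled - version 2.0" instead of 1.99.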
Line 158: Line 167:
 <code> <code>
 R1#show ip ssh R1#show ip ssh
 +SSH Enabled - version 1.99
 +Authentication methods:publickey,keyboard-interactive,password
 +Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
 +Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
 +Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
 +MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
 +KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
 +Authentication timeout: 120 secs; Authentication retries: 3
 +Minimum expected Diffie Hellman key size : 2048 bits
 +IOS Keys in SECSH format(ssh-rsa, base64 encoded): R1.labyas.my.id
 +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHjXiLjNODKOGzDSqds1fCkioEwYxDFAt5u35Rxd2O
 +BcSJNnjIM2Z3OjZjORP3P+X/iz2E1szTe2/NkH/1+6zNEjMa52t7YyhTldVGceaPidgPEzO3GltMnUSJ
 +591NNObxMWWOzkO2w75p6MJqOXTem2pT0PedVS6Qe6m6KdLvEGfSw/C9DwcDMl4j9dU/DJtlI3F+lOsH
 +WVMk/gK52cWjW37VV+m7TCPI02zaCloOgCwy9TJdwF6gKWBk6sNVcTWVn84O3M5LJ7/BQlevr0lbFufY
 +Im/iIkc9OzN+zvGxs9DHrtCU24p/uspl1EMqpZ4fyFkqzrrpdtQwrSQA+5Ql
 </code> </code>
  
 ---- ----
  
-  * **Step 6 – (Optional) Konfigurasi Username dan ACL** +  * **Step 6 – Konfigurasi VTY** 
-   +Sekarang hanya perlu mengaktifkan ssh pada ''vty line 0 5'' sama dengan konfigurasi telnet dengan ''transport input ssh''
-Username digunakan untuk autentikasi login SSHsedangkan ACL membatasi subnet yang diizinkan mengakses VTY line.+
  
 <code> <code>
-R1(config)#username ilyasa secret ccna 
-R1(config)#access-list 1 permit 192.168.122.0 0.0.0.255 
-</code> 
- 
----- 
- 
-  * **Step 7 – Konfigurasi VTY Line** 
-   
-SSH diaktifkan pada VTY line. Secara default tersedia 5 line (0–4). 
- 
-<code> 
-R1(config)#line vty 0 4 
-</code> 
- 
----- 
- 
-  * **Step 8 – Konfigurasi Keamanan VTY** 
-   
-Beberapa perintah tambahan untuk meningkatkan keamanan akses SSH: 
-  * ''login local'' → autentikasi menggunakan user lokal   
-  * ''exec-timeout'' → memutus sesi idle   
-  * ''access-class'' → membatasi akses berdasarkan ACL   
- 
-<code> 
-R1(config-line)#login local 
-R1(config-line)#exec-timeout 5 0 
-R1(config-line)#access-class 1 in 
-</code> 
- 
----- 
- 
-  * **Step 9 – Konfigurasi Transport Input** 
-   
-Batasi VTY agar **hanya menerima koneksi SSH**. 
- 
-<code> 
-R1(config-line)#transport input ssh 
-</code> 
- 
----- 
- 
-=== Full Konfigurasi SSH ==== 
- 
-<code> 
-ip domain name labyas.my.id 
 username ilyasa secret ccna username ilyasa secret ccna
 access-list 1 permit 192.168.122.0 0.0.0.255 access-list 1 permit 192.168.122.0 0.0.0.255
- 
-crypto key generate rsa 
  
 line vty 0 4 line vty 0 4
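Review bot: the new Step 6 text says SSH is enabled on ''vty line 0 5'', but the configuration kept in context below is `line vty 0 4` (five lines, 0 to 4, as the removed Step 7 text said); fix the range in the prose. The same hunk removes the explanations for `username`, `access-list 1`, `login local`, `exec-timeout` and `access-class 1 in`, yet `username ilyasa secret ccna` and `access-list 1 permit 192.168.122.0 0.0.0.255` still appear in the full configuration and `transport input ssh` is now the only command the prose explains; keep at least one sentence for the local user and the ACL so the reader knows why they are there. Style: "ssh" in the new sentence should be "SSH", and "sama dengan konfigurasi telnet" reads better as "sama seperti konfigurasi Telnet". Worth one sentence as well: the added `show ip ssh` output lists SHA-1 based MAC and KEX algorithms (`hmac-sha1`, `hmac-sha1-96`, `diffie-hellman-group-exchange-sha1`, `diffie-hellman-group14-sha1`) as this image's defaults, which is why the client-side workaround in the test section becomes necessary.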
Line 223: Line 199:
  transport input ssh  transport input ssh
 </code> </code>
- 
----- 
  
 === Hasil Test SSH ==== === Hasil Test SSH ====
 +
 +<WRAP center round info 90%>
 +Opsi ''-o HostKeyAlgorithms=+ssh-rsa'' digunakan karena klien SSH modern secara default menonaktifkan algoritma ''ssh-rsa'' yang berbasis SHA-1 dan dianggap tidak aman, sementara banyak perangkat Cisco IOS lama masih menggunakan algoritma tersebut sebagai host key. Dengan menambahkan opsi ini, klien SSH dipaksa untuk mengizinkan kembali ''ssh-rsa'' agar koneksi ke perangkat Cisco lama tetap dapat dilakukan, dan sebaiknya hanya digunakan untuk lab atau pembelajaran.
 +</WRAP>
 +
  
 <code> <code>
 ilyasa@lept0p:~$ ssh -o HostKeyAlgorithms=+ssh-rsa [email protected] ilyasa@lept0p:~$ ssh -o HostKeyAlgorithms=+ssh-rsa [email protected]
-</code> 
  
-<code> 
 The authenticity of host '192.168.122.19 (192.168.122.19)' can't be established. The authenticity of host '192.168.122.19 (192.168.122.19)' can't be established.
 RSA key fingerprint is SHA256:umrNu6vY+tTho9GDL4/jyZLiZH+eqCnrMxCrflty0Ro. RSA key fingerprint is SHA256:umrNu6vY+tTho9GDL4/jyZLiZH+eqCnrMxCrflty0Ro.
-Are you sure you want to continue connecting (yes/no)? yes +This key is not known by any other names. 
-</code>+Are you sure you want to continue connecting (yes/no/[fingerprint])? yes 
 +Warning: Permanently added '192.168.122.19' (RSA) to the list of known hosts.
  
-<code>+************************************************************************** 
 +* IOSv is strictly limited to use for evaluation, demonstration and IOS  * 
 +* education. IOSv is provided as-is and is not supported by Cisco'     * 
 +* Technical Advisory Center. Any use or disclosure, in whole or in part, * 
 +* of the IOSv Software or Documentation to any third party for any       * 
 +* purposes is expressly prohibited except as otherwise authorized by     * 
 +* Cisco in writing.                                                      * 
 +********************************* ****************************************
 ([email protected]) Password: ([email protected]) Password:
 +
 +
 +
 +**************************************************************************
 +* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
 +* education. IOSv is provided as-is and is not supported by Cisco'     *
 +* Technical Advisory Center. Any use or disclosure, in whole or in part, *
 +* of the IOSv Software or Documentation to any third party for any       *
 +* purposes is expressly prohibited except as otherwise authorized by     *
 +* Cisco in writing.                                                      *
 +**************************************************************************
 R1> R1>
 </code> </code>
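Review bot: the WRAP note explains why `-o HostKeyAlgorithms=+ssh-rsa` is needed, but the transcript then answers "yes" to the unknown-host prompt without checking the fingerprint. The router's public key is already printed by `show ip ssh` on this page, so suggest adding the check: save that `ssh-rsa AAAA...` line to a file, run `ssh-keygen -lf` on it, and compare the result with `SHA256:umrNu6vY+tTho9GDL4/jyZLiZH+eqCnrMxCrflty0Ro` before accepting. Two rendering issues in the same hunk: the `ssh` target and the password prompt appear as `[email protected]`, so the real user@host is lost (the host 192.168.122.19 is visible in the authenticity line, the username is not) and should be restored from the wiki source so the command can be copied; and the heading `=== Hasil Test SSH ====` has three opening and four closing equals signs, which DokuWiki will not render as a heading.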
  • networking/cisco/vty.1770010245.txt.gz
  • Last modified: 2026/02/02 12:30
  • by ilyasa